Markus_Marquard
Contributor

Are custom sites (url) supposed to work with "Categorize HTTPS websites"?

As full HTTPS inspection was introducing too many issues for us, we decided to go with "Categorize HTTPS websites" setting enabled in Application Inspection settings.

However, we would still like to match custom URLs for http and https service by using "Custom site" objects in the policy.

We did some tests and the results are not very consistent, we have the following behavior:

- works correctly, policy matches, https traffic is allowed

- works only on the second https access to same site, the first one is blocked (no match)

- not working at all because the https site is using a certificate signed by their own CA (eg. RedHat subscription network)

So we were ending up using domain objects, although I would have preferred custom url because of possible wildcard/regex.

So my questions would be:

  • As for https the url will not be available from the tcp stream without full https inspection, will the Gateway do a match to the website's certificate CN? Is it supposed to work this way?
  • Is it also supposed to work with wildcard certificates used, eg. a certificate with cn "*.domain.com"?
  • What can be done if the https site in question is using a certificate signed by its own CA? Is there a way to import a trusted CA not only for full https inspection, but also for this kind of certificate inspection?
8 Replies
Markus_Marquard
Contributor

Hi, reply to myself:

I found this interesting post, pointing out some of the issues I've also found:

URL filtering without HTTPS inspection

I would really like to see the subjectAltName property implemented in URL filtering!

Meital_Natanson
Employee

Hi,

We created an HF for supporting SNI with 'categorize https sites' on top of the R80.10 GW version.

Please contact me directly if this interests you (meitalna@checkpoint.com).

Thanks,

Meital

Pablo_Barriga
Advisor

Hello, do you need any special configuration for that HF to work?

Meital_Natanson
Employee

Hi,

The HF exists on top of R80.10 JHF T70.

Please contact me directly if you want to install it.

meitalna@checkpoint.com

Thanks,

Meital

Meital_Natanson
Employee

Hi,

In categorize https sites we use the DN from the certificate in order to match the traffic.

It should also work with custom urls and wild cards.

If the 'first connection' is not behaving like the next connections, check your categorization mode settings - you might want to change from background to hold.

We are not doing certificate inspection, but we are planning to support SNI categorization (we already have an HF on top of R80.10 that supports SNI).

If this might help you please contact me directly - meitalna@checkpoint.com.

Thanks,

Meital

Kaspars_Zibarts
Authority

@Meital_Natanson this is a very old topic and I'm not even sure if you're still working with it. But what is the latest status of HTTPS categorization in R80.40? Is it possible to create custom sites using regex and wildcards?

I'm reading sk106623, which basically says it's not possible for "HTTPS lite":

Important: Never use Regular Expression (Regex) for HTTPS websites when not using HTTPS inspection.

Tobias_Moritz
Advisor

I can tell you from my own experience that this is working in R80.40. We are using it that way on multiple gateways.

You only have to take care that the HTTPS Inspection Trusted CA List is up to date and contains all Root CAs of the sites you want to use "HTTPS Inspection Lite" a.k.a. "Categorize HTTPS websites" with. This list is used even if "HTTPS Inspection" (the full one) is not enabled on the gateway.
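To make the points above concrete (DN/CN-based matching, wildcard certificates, names present only in the subjectAltName, and the chain-validation failure for a private CA that the Trusted CA List has to cover), here is an added diagnostic script. It is not Check Point code and its matching rules are a simplification for illustration, not the gateway's actual algorithm; `fetch_peercert`, `cert_names`, `name_matches`, `custom_site_hits` and the sample certificate are all constructed for this example.

```python
"""What 'Categorize HTTPS websites' can see without decrypting: the leaf
certificate's subject CN and subjectAltNames, and whether its chain validates.
Added illustration, not Check Point code; matching rules are simplified."""
from __future__ import annotations
import re
import socket
import ssl

def fetch_peercert(host: str, port: int = 443) -> dict:
    """Fetch the validated leaf certificate; raises ssl.SSLCertVerificationError
    for a site signed by a CA missing from the local trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI = host
            return tls.getpeercert()

def cert_names(cert: dict) -> tuple[str | None, list[str]]:
    """Subject CN and DNS subjectAltNames from a getpeercert()-shaped dict."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans

def name_matches(cert_name: str, hostname: str) -> bool:
    """Does a certificate name cover hostname? A wildcard covers exactly one
    leftmost label (RFC 6125): *.domain.com matches www.domain.com only."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == cert_name[2:]
    return cert_name == hostname

def custom_site_hits(cert: dict, hostname: str, regex: str) -> dict[str, bool]:
    """Which field a regex custom site would hit for a request to hostname:
    CN-only (DN) matching misses SAN-only names; the SNI carries the name asked for."""
    cn, sans = cert_names(cert)
    pat = re.compile(regex, re.IGNORECASE)
    return {
        "cn_covers_host": bool(cn) and name_matches(cn, hostname),
        "cn_regex_hit": bool(cn) and bool(pat.search(cn)),
        "san_regex_hit": any(pat.search(s) is not None for s in sans),
        "sni_regex_hit": pat.search(hostname) is not None,
    }

# Constructed sample shaped like ssl.getpeercert(): wildcard CN, plus a name only in the SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "issuer": ((("commonName", "Example Private CA"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "other-brand.net")),
}
```

Running `custom_site_hits(SAMPLE_CERT, "other-brand.net", r"other-brand\.net$")` shows the SAN-only case: the CN gives no hit while the SAN and SNI do, which is why a CN-only match looks inconsistent from the client's point of view.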

Kaspars_Zibarts
Authority

Thanks @Tobias_Moritz, in the end I worked out the syntax and actual content that had to go into the regex! 🙂
